GDPR: INTRODUCING LANDMARK CHANGES TO DATA PROTECTION
General Data Protection Regulation
The General Data Protection Regulation (GDPR) introduces sweeping changes to existing data protection laws and it will come into effect on May 25, 2018. Businesses affected by GDPR will need to make substantial efforts in order to ensure compliance due to its broad scope. The importance of compliance is underscored by high fines which may be imposed for material infringements of the GDPR - the higher of 4% of annual worldwide turnover and EUR 20 mil.
The GDPR is directly applicable in all EU member states and creates a fully harmonized set of data protection rules. These rules apply to businesses, organizations and individuals who act as personal data “controllers” - and “processors”. A controller controls and is responsible for the keeping and use of personal data on computer or in manual files. For example, a business that keeps and uses customer or employee records which include personal data is a controller with respect to such personal data. On the other hand, a processor keeps and processes personal data on behalf of a controller (e.g. a contractor storing personal data on its servers for the data controller).
Applicability of the GDPR is not sector specific as it applies to all controllers and processors in the EU. Furthermore, the GDPR has an expanded extraterritorial reach making it applicable to businesses based outside the EU that offer goods and services to, or monitor individuals in, the EU.
Some of the most important obligations arising under the GDPR are briefly described below.
Consent to Process Personal Data
Processing of personal data requires that the individual grants its explicit consent, unless the GDPR provides for a specific legal basis for the processing (e.g. if processing is necessary for the performance of a contract). It will be much harder to obtain a valid consent under the GDPR and an individual will be entitled to withdraw its consent at any time.
“To do”: Review your current consent forms and processes of their obtaining and revise them in order to ensure full compliance with the GDPR. Implement processes for the event that consent is withdrawn.
Rights of Data Subjects
The GDPR introduces new rights of individuals, including the right to be forgotten (obligation to erase all personal data if requested), the right to be notified of a breach (obligation to notify the Data Protection Office and in some cases also the individual), right to access (obligation to confirm that personal data is processed and provide details of the processing) etc.
“To do”: Analyze the likelihood that individuals will exercise their rights against you and implement necessary processes accordingly.
The GDPR requires that the controllers and processors must be able to demonstrate that they comply with the applicable rules. This will require significant record keeping efforts. In certain cases, business will also be obligated to carry out a privacy impact assessment and consult the Data Protection Office.
“To do”: Consider the extent of record keeping activities applicable to your business and work out whether you will have to carry out a privacy impact assessment.
The obligation to ensure security of personal data is strongly emphasized in the GDPR, but this obligation is expressed only in general terms and does not provide specific guidance regarding its implementation by businesses. In order to comply with this obligation, you may need to employ various measures, such as encryption of data.
“To do”: Consider carrying out a security audit and setting up a breach management processes where appropriate. Regularly review security measures to ensure that sufficient data security is guaranteed at all times.
Data Protection Officer
Certain businesses will be obligated to designate a “Data Protection Officer” (e.g. businesses whose core activity requires large scale systematic monitoring or large scale processing of sensitive personal data). The Data Protection Officer will be responsible for monitoring of compliance with the GDPR, providing guidance to employees and cooperation with the Data Protection Office and must report directly to the highest management.
“To do”: Analyze whether you have an obligation to appoint the Data Protection Officer. If your business is a part of a larger group, consider whether a single Data Protection Officer should be appointed for all group companies.
If you have any questions regarding the GDPR and its implementation, please contact one of the authors listed below or your usual Barger Prekop contact.
This document is of a purely informative nature and cannot be construed as legal advice or legal analysis.
Banking & Finance
|This document is of a purely informative nature and cannot be construed as legal advice or legal analysis.|